Don’t worry about shadow IT. Shadow IoT is much worse.

For years, IT departments have been railing about the dangers of shadow IT and bring-your-own-device. The worry is that these unauthorized practices bring risks to corporate systems, introducing new vulnerabilities and increasing the attack surface.

That may be true, but it’s not the whole story. As I’ve long argued, shadow IT may increase risks, but it can also cut costs, boost productivity and speed innovation. That’s why users are often so eager to circumvent what they see as slow and conservative IT departments by adopting increasingly powerful and affordable consumer and cloud-based alternatives, with or without the blessing of the powers that be. Just as important, there’s plenty of evidence of that enlightened IT departments should work to leverage those new approaches to serve their internal customers in a more agile manner.

Shadow IoT takes shadow IT to the next level

So far so good. But this reasoning emphatically does not carry over to the emerging practice of shadow IoT, which has become a growing concern in the last year or so. Basically, we are talking about when people in your organization add internet-connected devices (or worse, entire IoT networks!) without IT’s knowledge.

Those renegades are likely seeking the same speed and flexibility that drove shadow IT, but they are taking a far bigger risk for a much smaller reward. Shadow IoT takes shadow IT to another level, with the potential for many more devices as well as new types of devices and use cases, not to mention the addition of wholly new networks and technologies.

Why shadow IoT is worse than shadow IT

According to a 2018 report from 802 Secure, “IoT introduces new operating systems, protocols and wireless frequencies. Companies that rely on legacy security technologies are blind to this rampant IoT threat. Organizations need to broaden their view into these invisible devices and networks to identify rogue IoT devices on the network, visibility into shadow-IoT networks, and detection of nearby threats such as drones and spy cameras.”

The report noted that all of the organizations surveyed had rogue consumer IoT wireless devices on their enterprise networks, and nine out of 10 had shadow IoT/IIoT wireless networks, defined as “undetected company-deployed wireless networks separate from the enterprise infrastructure.”

Similarly, a 2018 Infoblox report found that a third of companies have more than 1,000 shadow-IoT devices connected to their networks on a typical day, including fitness trackers, digital assistants, smart TVs, smart appliances and gaming consoles. (And yes, Infoblox is talking about enterprise networks.)

It gets worse. Many of these consumer IoT devices don’t even try to be secure. And, per Microsoft, criminal and state-sponsored actors are already weaponizing these devices and networks (both shadow and IT-approved), as shown by the Mirai botnet and many others.

One more thing: Unlike cloud and consumer shadow IT, shadow IoT implementations often don’t provide additional levels of speed, agility or usability, meaning that organizations are not getting much benefit in exchange for the heightened risks. But that doesn’t seem to be stopping people from using them on corporate networks.

Security basics

Fortunately, protecting your organization from shadow IoT isn’t so different from security best practices for other threats, including shadow IT.

Education: Make sure your team is aware of the threat and try to get their buy-in on key IoT policies and security measures. According to that 802 Secure report, “88 percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24 percent of employees represented in the survey said they did not even know such policies existed, while a bare 20 percent of the people who professed knowledge of these policies actually abided by them.” Sure, you’ll never get 100 percent participation, but people can’t follow a policy they don’t know exists.

Assimilation: Create policies to let team members easily connect their IoT devices and networks to the enterprise network with the IT department’s approval and support. It’s extra work, and some folks will inevitably go rogue anyway, but the more devices you know about, the better.

Isolation: Set up separate networks so you can support approved and shadow IoT devices while protecting your core corporate networks as much as possible.

Monitoring: Make regular checks of connected devices and networks, and proactively search for unknown devices on all your networks.

Recommended for you: How Deception Can Provide Critical Security for IoT Devices

This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user.

Network World

Network World provides deep domain expertise on the modern enterprise data center, including the latest networking, storage, servers, and virtualization technologies. Focused on the decisions faced by data center managers who must build out agile infrastructure and extend their networks to embrace the internet of things, Network World is an invaluable resource in helping enterprises meet strategic business goals.

Subscribe

Categories

CenturyLink is a global communications and IT services company focused on connecting its customers to the power of the digital world. From cloud, connectivity and security services for your business to High-speed Internet, TV and Voice for your home, CenturyLink is your link to the fastest, most reliable, and most secure delivery of data.